Whonix Desktop Installer with Calamares - field report

Patrick · July 18, 2019, 1:31pm

reverse-depends dnsmasq-base

Shows:

Reverse-Recommends
==================
* libvirt-daemon-system
* lxc
* network-manager

Reverse-Depends
===============
* concordance-common
* dnsmasq
* mahimahi
* neutron-dhcp-agent

Try to remove the package and see what happens. Still enough time to abort. Also good to experiment in live mode. Then perhaps try to uninstall another package from that list instead to track further and further. Or uninstall and reinstall one by one using --no-install-recommends and see at which point something would pull the package.

HulaHoop:

Here’s the suggested packages. I hesitate to exclude them because I don’t know what features we need rely on these packages. They are relatively few compared to the mandatory collection anyhow.
Suggested packages:

Suggested packages are never installed by default. Only when using --install-suggests, which I saw never anyone using. This is only about Recommends:.

That list of Suggests: contains packages definitively to be avoided. Packages like gnome-keyring can cause other issues. Just not great to have any packages without really needing those.

As for Recommends: these should not be relied upon. Installation vs non-installation depends on which packages the user already has installed. Therefore this can lead to inconsistent / non-compareable results.

For example dnsmasq-base might recommend dnsmasq for no reason which could then interfere with host DNS. In worst case a world reachable port could be opened.

Another example for what mess it can create:
Installing git-all will delete some Whonix packages

More on why we need --no-install-recommends:
Debian Packages - Whonix

In conclusion we really need start with Debian minimal, then install with and without --no-install-recommends. Understanding the difference in packages being installed and having a basic understanding which each of this different packages would make.

By Debian policy, packages must not depend on any Recommends: being installed for secure configuration. It won’t be that difficult after all. Just some features might break when some package is missing which can be easily fixed when knowing the difference of which packages are missing.

Whonix base install? You mean inside VMs? I wouldn’t know what pulls it . Not existing in Qubes-Whonix. Try to purge it:

sudo apt purge dnsmasq*

It might be a leftover in upgraded images. If it is removable inside Whonix VMs, it should be removed. Just cruft. That could even break alternative DNS resolvers.
(MX / SRV / DNSSEC / any DNS requests over Tor / DNSCrypt) (dnsmasq-base not so much but dnsmasq might create an unwanted listener port.)